Wired Networks Thread, VLANS in Technical
11th June 2014, 10:03 AM #1
I've never actually used a VLAN and we're running out of IP addresses and so thought it would be good to learn and implement them. I know the basics of them but have a question.
I have a Unifi wireless system where I would like the guest access to be completely separate from the main network, with its own range and DHCP server. We can have a VLAN set up on our managed DrayTek router that just goes straight out to the internet. This would feed into our main switch, where I would also tag this port. I would also need to set the guest SSID to the matching VLAN tag within the Unifi software.
Would I need the rest of the switches in the building to be layer 3? Or would the fact I've tagged the traffic for the access points be OK?
11th June 2014, 01:08 PM #2
Doesn't have to be layer 3, but you need to have switches that support tagging (IEEE 802.1Q), like Netgear layer 2+, else the traffic can't get from switch to switch. How you do this depends on switch type / make and the type of VLAN you want to create.
11th June 2014, 01:22 PM #3
Everything you have said is correct, but you will also need to tag the VLAN to the ports the Unifi are connected to, to ensure they turn up at the access point.
13th June 2014, 09:20 AM #4
Forget VLANs unless you have a need to implement them for security or network segmentation reasons.
They add complication and overhead to all network traffic.
Why not just change your subnet?
We're on 255.255.224.0 which gives us 4000 IP addresses.
There's no need to fiddle with tagging ports, making sure you've connected devices with static IPs into the correct port or anything like that.
13th June 2014, 09:31 AM #5
No, they do not really add complication; the benefits of separating VLANs outweigh the overheads - especially if you need 4000 IPs.... If you want to worry about overhead, take a look at Wireshark and see how much crap all your printers spout over your network and tell me vlanning them off wouldn't be a huge benefit!
13th June 2014, 09:35 AM #6
Agreed, with a network of that size the broadcast traffic would be outrageous! VLANs are worth the extra bit of time to set up. It also future-proofs you for things like VoIP and video streaming if your school heads down these routes.
13th June 2014, 10:24 AM #7
I don't use them, silly; it was just an example of if more IPs is the only reason you're looking at them, then it's not the only solution.
13th June 2014, 10:49 AM #8
VLANs aren't just for security. They're very useful methods of splitting up network traffic to make the network as a whole more manageable. VLANs are definitely worth the small extra overhead on network switches and the extra configuration you'll need to implement them.
The key though, is designing your VLAN structure sensibly.
We have 25 VLANs on our network, mainly because we have over 100 Apple TVs, and the amount of Bonjour traffic they generate means we have to split the network into multiple small segments. If you've ever tried using more than about 10 Apple TVs on the same LAN, you'll know what I mean.
13th June 2014, 10:56 AM #9
VLANs are useful for many reasons, but that's somewhat off topic here.
To successfully use VLANs on a network you need layer 2 switches that support 802.1Q, and something to do inter-VLAN routing. This can either be a discrete router or a layer 3 switch which supports routing. I use an HP ProCurve 5406zl for the routing stuff here.
The setup for the wifi would be, on the switch port the AP is plugged in, untagged for the admin VLAN (i.e. the VLAN which contains the IP address of the AP), and tagged for any VLANs which are used for specific wireless networks. Then in your wireless config, you assign the SSID to the VLAN number.
The core or router would then have routing enabled, to allow traffic to traverse the network from the originating VLAN to any destination VLAN. Those rules can be as wide as "allow everything" (which you'd use for internal network VLANs) or "allow only access to this IP address on this port" which you'd use for guest wireless.
13th June 2014, 10:59 AM #10
It's also prudent to think ahead. If you need to make changes to your network anyway, you might as well set yourself up for the future, otherwise you'll just make more work for yourself. We needed to expand our IP allocation (gave ourselves 8000 - slight overkill but seemed to make sense), given the following assumptions:
Every pupil has a device (smartphone) and the possibility of a 1:1. Not probable, but possible.
Every staff member has a device (smartphone) and the possibility of a school provided device.
Around 100 wirelessly connected devices on top of those.
Possibility and probability are different things, and by working to what is possible, we are very well set for the future, whatever it brings. There was a learning curve getting VLANs and subnets in place but very, very well worth it.
13th June 2014, 11:39 AM #11
Another example: I just created a 5 port switch within a 24 port switch for WAN using VLANs.
10th July 2014, 09:45 AM #12
Thanks for all the replies.
I'm a little confused at the moment. We have 15 Unifi access points. For these access points we can set up different SSIDs and tie them to different VLANs. If I tag the ports that these access points feed into, which VLAN do I use?
As an example:
We have a guest wifi and our main school wifi.
If the guest wifi SSID was set to VLAN 10, what would we set the port on the switch to so the main school SSID still worked?
Or can you set ports to more than one VLAN?
Last edited by nathan; 10th July 2014 at 09:51 AM.
10th July 2014, 09:50 AM #13
The "management VLAN" should be untagged. Then all the VLANs for the wireless SSIDs would be tagged.
10th July 2014, 09:57 AM #14
Each one that exists on the Unifi as an SSID. For example, we currently have 2 SSIDs: one is a guest with DHCP provided by the firewall on VLAN 6, the other is our main wireless on VLAN 1. The switch config tags VLAN 6 to each port with a Unifi hung off it. VLAN 1 is the default VLAN.
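The port behaviour described in posts #9, #13 and #14, modelled in Python as an added example (not code from any poster or switch vendor): it builds and parses the 4-byte 802.1Q tag and shows why one port can carry an untagged management VLAN plus tagged SSID VLANs. The `Port` class, the MAC address, and the use of VLAN 1 for management and VLAN 10 for guest are illustrative assumptions; real switches differ in details such as how they treat a frame tagged with the port's own untagged VLAN ID.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting the 4-byte 802.1Q tag when vid is set."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:  # VID 0 and 4095 are reserved
            raise ValueError("VLAN ID must be 1-4094")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload

def parse_vid(frame):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of TCI

class Port:
    """Simplified switch port: one untagged VLAN plus a set of tagged VLANs."""
    def __init__(self, untagged, tagged=()):
        self.untagged, self.tagged = untagged, frozenset(tagged)

    def ingress(self, frame):
        """VLAN a received frame is placed in; None means the port drops it."""
        vid = parse_vid(frame)
        if vid is None:
            return self.untagged          # untagged frames join the untagged VLAN
        return vid if vid in self.tagged else None  # unknown tag: filtered

    def egress(self, vlan):
        """How a frame in `vlan` leaves this port: 'untagged', 'tagged' or None."""
        if vlan == self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

# Constructed sample: VLAN 1 = management/main, VLAN 10 = guest SSID.
BCAST, AP_MAC = b"\xff" * 6, bytes.fromhex("020000000001")
ap_port = Port(untagged=1, tagged={10})   # port with an access point on it
pc_port = Port(untagged=1)                # ordinary wired port (assumption)
guest = build_frame(BCAST, AP_MAC, 0x0800, b"guest", vid=10)
mgmt = build_frame(BCAST, AP_MAC, 0x0800, b"mgmt")
```

Here `ap_port.ingress(guest)` classifies the frame into VLAN 10, while `pc_port.ingress(guest)` returns `None`: a port that is not a member of the guest VLAN neither accepts nor forwards guest traffic, which is the segmentation the guest SSID relies on.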
10th July 2014, 10:09 AM #15
So am I correct in saying I could have the following on a port: